- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Some VPN users can't get internet access
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some VPN users can't get internet access
I have a Fortigate 60E for our small network and created some VLANs to separate the VOIP, CCTV, Servers, Laptops, etc. The VLAN side works fine and as expected, even the routes from laptops to server DNS, DC, File Shares, etc is working. However since doing these changes, the VPN is playing up a bit.
Everyone can connect to the VPN and get an internal IP, some users work fine with internet access but others cant get internet access whilst on the VPN and only an internal IP.
It feels like a DNS issue to me. Initially we had the VPN give out our internal DNS server (which is on a separate vlan) but this didn't work. I have also set it to use the client's system DNS and it gives them their home router DNS but again internet doesn't work for those users.
Looking for pointers, is it some additional routing I need to setup for the VPN after setting up VLANs. Below are the relevant firewall policies we have in place (appreciate they not much help as just the names, just trying to show what we have setup).
SSL_VPN_Internet_Access
SSL_VPN_Internal_Access
Laptops_to_Internet
Laptops_to_Servers (restricted ports)
Servers_to_Internet (restricted ports)
To add I have read it requires Split Tunnel but we have a ipv4 policy setup for internet access so dont think this is required?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adrian, doing the nslookup using 8.8.8.8 DNS works and if I set the config in the Fortigate SSL-VPN settings to use that DNS server then internet access works. Still confused as to why the client ISP DNS doesn't work especially when they can use internet when not on vpn at home.
I guess now I need to get the VPN working with our internal DNS Server so they can access internal resources (file servers). Since we have VLANs do I need some ipv4 policy from SSL-VPN tunnel to Servers VLAN, so it would allow the DNS through?
I checked and all policies have NAT enabled
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for your question. If you have firewall policy to allow internet access to SSLVPN users, you should be fine without split-tunneling. I would test couple of things:
- Users having issues with internet access, ask them to ping some public IP (8.8.8.8 for example). If this is working, it can confirm that the problem might be with DNS.
- Try to do nslookup from PC with different DNS servers. If ping to 8.8.8.8 is working, try to use 8.8.8.8 for dns ("nslookup www.example.com 8.8.8.8")
- If it does not work, try to do debug flow and packet capture for the SSLVPN client IP address and port 53 and try to see if traffic is not blocked (allow DNS in policy, make sure NAT is also enabled) and mainly check if the windows is correctly sending DNS request via tunnel so FortiGate sees them.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adrian, doing the nslookup using 8.8.8.8 DNS works and if I set the config in the Fortigate SSL-VPN settings to use that DNS server then internet access works. Still confused as to why the client ISP DNS doesn't work especially when they can use internet when not on vpn at home.
I guess now I need to get the VPN working with our internal DNS Server so they can access internal resources (file servers). Since we have VLANs do I need some ipv4 policy from SSL-VPN tunnel to Servers VLAN, so it would allow the DNS through?
I checked and all policies have NAT enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks for feedback. I have experience that some ISPs might block access to their DNS servers outside their network (from peering for example) and allow only from concentrators.
For your internal DNS yes, you will need firewall policy from SSLVPN to your server vlan with DNS service allowed, in this case NAT does not need to be enabled most of the time.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks its working again using our internal DNS. I created a policy to allow SSL to the orange VLAN and users can use the internet on the vpn using our DNS.
Appreciate the help
Created on
02-08-2023
08:56 AM
Edited on
02-08-2023
10:15 PM
By
Anthony_E
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jasetcs,
This is Manoj . I am facing the same issue with my network . I had to recently configure VLANS for my network. So I created SVI on my Arista switch and did an OSPF routing with Fortigate firewall. After that my SSL VPN users cant access iternet when they are connected through VPN. Can you please help how did you solve this . I already have a policy to access the SSL ROOT -> internal network full access policy. Do we need to ask another policy for DNS specifically..?/ Any help would be much appreciated.
Regards
Manoj Joseph
Related Posts
- Fortigates with PPPoE WAN suddenly need... 122 Views
- Help setting up internet access for... 147 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 177 Views
- SSO on Self-Service Portal FortiAuthenticator 112 Views
- FortiClient Azure SSO VPN issues 84 Views
Labels
-
FortiGate
6,489 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.